
Chair: @Kathleen Connor

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

FreeConferenceCall Online Meeting Link

Dial-in Number (United States): (515) 604-9567 Access Code: 880898#

Agenda Topics 

 Minutes Approval


2019-10-22 Security WG Agenda/Minutes

Motion to Approve with amendment to update # of approval 10/22 Minutes :   (

Moved: JohnM  Second: Mohammad

Approve: 12-Abstain: 0-Oppose: 0

Sequoia CUI Discussions

Mike Davis

CUI Machine-Readable/Computable IG. 

This is a new project to produce an IG in support of US realm implementation of HL7 Data Segmentation/labeling of messaging from US federal to recipients.  Two ppts have been created that outline the requirements for this IG in detail.  Call for approval and creation of PSS/IG

We have been working with Sequoia.  This is US Realm. 

  • desire to have machine readable/computable.  Sequoia is requesting that we produce a general IG to cover v2, CDA and FHIR in moving forward for ONC efforts.  Sequoia would like an IG with gravitas—an IG standard.  Sequoia sees the benefit of work in security labels in general, more specifics on how HL7 Security Label IG as well.  Security WG to produce an IG for v2, CDA, FHIR for both CUI and security labels.
  • proposal is to create an IG (US Realm)
  • does Sequoia have people/resources to offer review, work on this project?  The VA is in support of this effort, and will have the lion's share of this effort

Next step is to draft a proposal with basic outline of project scope–specialization of DS4P and FHIR - 

  • is the idea of cross paradigm acceptable? (Yes, per Mike); if we're looking at going forward with TEFCA this is what we're looking toward

Controlled Unclassified Information (CUI) Problem and Solutions

MOTION: Create a X-Paradigm IG covering security labeling across the family, including wrappers. 

(Mike / 

Discussion: I don't believe we need a motion to create a PSS, question on resourcing has not been answered.  Moving forward with the PSS may answer the question.

No Vote made (no second to motion)

A PSS will be created and brought back to the WG for discussion

EPIC Access Control

Isaac Vetter - Presentation on EPIC's approach to granular access control and how it fits with standards we have in place (e.g., security labels) and guidance we would like to develop on granular scopes etc. 

Discussion pushed to 11/5 call

DaVinci IG Privacy and Security Considerations

Continue discussion 10/29 because DaVinci team has conflicts

Mohammad Jafari and Kathleen offer additional Privacy and Security Considerations for

PDex US Drug Formulary

DaVinci PDex Plan Net IG

John suggested possible additions to Security Module AnonymousRead, or BusinessSensitive classifications as well.

ACTION: Craft on FHIR-Security call; work on appropriate language with John Moehrke (and others via e-mail)

Share with Protection - Technical Approaches

This is a general IG

November Harmonization

Kathleen - Submitted 6 initial proposals. Last meeting 3 were approved, and 3 pended for completion.  WG needs to review the pending 3. See Proposals November Harmonization

review of Harmonization Proposals

4 - (typo)

5 - CDS Compartment (final approval from CBCP once Kathleen has spoken to WG)

6 - Specialize MDHHS-5515 (Michigan consent to care), change is due to change in law

Harmonization Dates: Initial proposals due 10/26; final submissions due 11/29; Harmonization meeting scheduled for 12/15.

MOTION: for Security WG to co-sponsor Harmonization Proposals 4,5,6 (Suzanne/no second)

Discussion: These are initial proposals, so there is time for refinement.

FHIR Security

John Moehrke - call cancelled.  He discussed his effort to get more participants on the FHIR Security calls.

Hi FHIR and Security community

We have not been getting good attendance at the scheduled FHIR Security call. I want to find a better time to hold these weekly meetings. I want to get more participation from those that are addressing security problems.  

Looking for those interested, so that I can assure a doodle poll starts with a good core group.

These topics include some discussions that have popped up on zulip, but have never been brought to the security workgroup

* Basic Provenance in FHIR

* AuditEvent supporting Patient Empowerment

* Additional guidance for the core security pages

* Security around FHIR Subscription 

* Security around bulk-data access

* Security around multi-organization interactions (e.g. HIE)

* App dynamic registration

* Updating of SMART-on-FHIR with next kind of use-case (tbd)

* Templating of IG to drive Security Considerations

* Templating of IG to drive consistent use of Provenance, AuditEvent, and Signatures

* Definition of a new Resource for Permission use-cases 

* Creation of a library of security/privacy focused IG that can be included in 'other' IG as modular security solutions (similar to how SMART-on-FHIR is used today, but supporting other security models). This might be where the subscription, bulk-data, and multi-organization solutions are organized for easy use.

First I want to get in touch with people who might want to participate. From that group we will define a set of potential timeslots to put into a doodle poll to find a new timeslot. Please contact me directly if you are interested in the above topics.

If no one shows interest, then the above items will continue to be dreams...

Note the call time has moved to 1PM ET, which is the hour after the CBCP calls.

Discussion thread on Zulip @

INFRASD vote on DaVinci Alert Notification

PSS for DaVinci FHIR Alerts (Notifications) IG - Security cochairs need to vote.

Project Scope:

Currently, ADT exchange approaches typically use HL7 V2 ADT messages. This is a legacy EDI-style technology that uses HL7 specific protocols over ports that are not typically exposed to the internet. While HL7 V2 works well within the confines of a hospital system's intranet, it is not particularly well suited to cross-enterprise data exchange.

FHIR resources can be used to transport patient information relevant to a specific event (e.g. admission, discharge, change in treatment, new diagnosis) to another provider or the health plan to communicate the details of where care was delivered and help to ensure timely follow-up as needed. Health care stakeholders are increasingly responsible for knowing what care their patients have received and what care they need, regardless of where the patient sought care. This information can be used to build an encounter record in the receiving system with appropriate provenance and make it available to CDS and other local services.

Recommend that Security vote affirmative if the PSS Scope section includes the following statement

This project will note use case specific Privacy and Security Considerations, such as:  “Implementers of the FHIR Alerts IG must be aware of (and adhere to) their responsibilities with respect to data sharing imposed by policy such as the need for providers and intermediaries to determine:

(1) whether payer recipients have or have had a relationship with the patient,

(2) that there are no consent directives required for sharing additionally protected information (e.g., a 42 CFR Part 2) or restricting the sharing (e.g., HIPAA consent for self-paid services) of the patient’s information, and

(3) that a FHIR Alert only includes the minimum necessary information required for a payer only for HIPAA Payment purposes, and for the care coordination and conduct care management activities permitted under HIPAA Operations.

This may involve allowing providers to review information prior to data transmission to the payer.  Implementations SHALL permit provider review of data prior to transmission, but SHALL NOT require such review.”

(This comment is based on the approved resolution to my DaVinci PAS comment 24178.)

Discussion on CUI requirements - they seem to call for more than codes.  (JohnM) 

  • issue one: there is a need to indicate on the code who was the authority on the code to allow for a downstream questioning
  • issue two / banner function: discussed through document header/footers, but it is unclear how that translates in CDA (but not in FHIR where there is no UI)
  • issue three: can't remember; a need to indicate the policy that caused that CUI code to be chosen (but that might have been a different use case)

Encourage group to hop into ZULIP and provide opinions; join FHIR Security Meeting

  • needs a core set of people for participation and then will send out a doodle poll for their available times

Need to determine the scope of request for this Infrastructure Steering Division before discussing further.


Mike Davis - Consent approach in

Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act

116TH CONGRESS 1ST SESSION S. 2658 To promote competition and reduce consumer switching costs in the provision of online communications services.

There would be a third party user to manage, i.e. Facebook or Google account.  It's an interesting idea since we're looking at patients managing their data; something to follow for future capability for choices on protecting their data in a global manner.  May solve the sharing problem, where patients manage their information without knowing the details of their provider details, wherein a third party manages the information.

PSAF Provenance Volume 3 Ballot Reconciliation

Kathleen - Discuss proposed resolutions for block votes

Bernd Blobel editorial comments 5, 42 - 57 may be resolved without substantive changes across all PSAF volumes.  Recommended disposition:  Vote Persuasive - will make these non-substantive changes to align the references in all PSAF volumes with updated references.

HL7 Netherlands Affiliate votes  2, 12, 13, 29 are duplicate comments:

There is international agreement to apply ISO 23903 to ascertain the use of multiple standards in a layer or stack, or architecture. The HL7 v3 Privacy and Security Architecture Framework does not apply this, making it difficult for policy makers, business analysts and architects to set up a solid business approach in which the privacy and security architecture framework can. This ISO 23903 is an important requirement to apply the Framework in conjunction with other standards like architectures, messages, EHR-S standards, clinical models and more.

Recommended disposition: Vote Not Related: ISO 23903 is still a draft standard. There is no agreement that HL7 must align with this draft standard. All of the other PSAF Volumes were approved as normative without this comment. Only PSAF Volume 3 was in scope @ 201909 ballot. Security WG will consider ISO 23903 once adopted in any future updates to PSAF if this specification is made freely available to HL7 members. 

Deferred for Block Votes on 11/5

Share with Protections

Mike Davis

Update on SwP Part 1 and Part 2 (to be presented Drafts).  Recommend FHIR IG PSS for SwP. 

Slide decks and Sharing with Protections paper are available on Security WG Confluence site

(SP) 800-207, Zero Trust Architecture

Mike Davis: Should HL7  Sec WG provide comments on NIST Zero Trust Architecture relevant to standards work?  Reference HL7’s PSAF Vol 1 with links to relevant sections such as Fig 7, 9, 12, 18 etc.

Federal Health IT Strategic Plan

Mike Davis: Should HL7 Security comment on Federal Health IT Strategic Plan –

    • Individuals perform on their own some of the activities that traditionally occur only in formal health care settings (e.g., monitoring blood pressure, tracking body mass index). An increasing number of individuals want the ability to use technology to track and improve upon their health goals, and want technology to be helpful and easy to use.
    • How does HL7 support objective 4b?

WGM Report out

Kathleen - Draft WGM Minutes - in process. 

16 SEP 2019 SEC WGM Minutes

17 SEP 2019 SEC WGM Minutes

18 SEP 2019 SEC WGM Minutes

Splitting PSAF - Mike

postponed discussion to next week 

Adjournment

Meeting adjourned at

Temporary Meeting Recording:


@Adam Wong adam.wong@hhs.gov HHS
HL7 Austria
Wave One

Chris Shawn, Co-Chair

 Ready Computing
@David Staggs drs@securityrs.com SRS
Dave Hill dwhill@mitre.org MITRE

Heather McComas AMA
Jim Kamper Altarum

John Davis (Mike)


John Moehrke Co-Chair

Julie Chan jchan@cwglobalconsult.com HL7 FHIR

Kathleen Connor  Co-Chair

VA (Book Zurman)
Laura Bright
Laura Hoffman laura.hoffman@ama-assn.org AMA
EMR Direct
Matthew Reid matt.reid@ama-assn.org AMA
VA (Book Zurman)
 PJM Consulting
Trustworthy EHR 

@Ricky Sahu,  

1up Health

Robert Dieterle

Saul Kravitz saul@mitre.org MITRE

Stephen MacVicar smacvicar@mitre.org MITRE
VA (Book Zurman)
Terence Cunningham (Terry) AMA

@Trish Williams Co-Chair Flinders University
